Intel® vPro™ Expert Center Blog, December 2007

Steve Grobman talks with Jason Lopez about Danbury.

Direct Link http://www.podtech.net/home/4797/vpro-encryption-at-the-hardware-level

 

 

 

 



vPro in Action: First Production Deployment of Intel® vPro in China

 

Jackson He

 

 

 

 

A technology is only as good as the value it delivers to the business, and Intel® vPro is no exception. We can talk about its technical merits and the tricks of deploying it wisely all day long, and they are all very important, but at the end of the day what matters is how end users view the technology and value it in their day-to-day business operations. To this end, we have conducted quite a few end user pilots. One of the success stories was the deployment of Intel® vPro at the China Ministry of Railways (MOR) Jinan Bureau. It was the first production deployment of Intel® vPro in China.

 

 

 

 

Before we dive into the story, here are some basic facts about MOR and the Jinan Railway Bureau:

 

  • MOR is the 2nd largest ministry in China with nearly 2 million employees. It is responsible for construction, maintenance, and operation of 80,000 km railway throughout China (~120,000 km by 2015).

  • Jinan Railway Bureau, which oversees a major transport artery in eastern China that connects four of the country's most important export hubs, has seen its services improve by leaps and bounds recently.

 

 

 

Well, so what? What business problems does Jinan Railway Bureau have that warrant a solution based on Intel® vPro Technology? Here is the problem statement the customer gave us:

 

  • With China's railway moving into high-speed railway operations (200KM/Hr in 2007 and 300KM/Hr by 2010), Jinan Railway Bureau requires near real-time data collected from railway lines to facilitate overall system management and train security/safety administration.

  • However, frontline rail workers possess very few or no PC skills, a bottleneck that can potentially cause delays in the Bureau's railway management.

  • Additionally, casual PC mistakes on railway lines can cause issues that require on-site repair by IT support staff, who could be hundreds of kilometers away at the Jinan Bureau headquarters, a time-consuming and labor-intensive process that impacts critical PC usage.

  • To lower the TCO (total cost of ownership), MOR started IT infrastructure consolidation and centralized IT staff at major hubs. Jinan is one of the major hubs. It will heavily rely on remote management technology to operate. However, when a PC is dead, there is not much they can do remotely.

 

 

 

This is a perfect case for Intel® vPro Technology and Intel® Active Management Technology. A solution based on Intel® vPro Technology was piloted in mid 2006, and 150 vPro systems went into production in 2007 on the same day that China MOR sped up operations to 200 km/h, a key milestone in China's railway history. Here is what the solution covered:

 

  • In planning the new Permanent Way Management Information System (PWMIS) deployment for Jinan Railway Bureau, the IT department of China MOR looked into adding manageability features at the PC hardware level to tackle manpower issues.

  • Hardware-based PC management capabilities provide Jinan Railway Bureau with the ability to better monitor and recover their PCs in daily operations, bypassing the hassle of on-site PC operations and regular maintenance.

  • In addition, Jinan Railway Bureau enjoys added flexibility in embedding hardware-based management features directly into their specially developed railway management software applications.

 

 

 

The customer is really happy with this solution. They were on stage with Intel for the vPro product launch to share their experience: "In choosing Intel® vPro Technology, we not only considered performance issues, but also investment protection issues. Intel vPro Technology is a forward-looking architecture that will serve Jinan Railway Bureau well into the next decade," said Mr. Liu Teng, IT Director of Jinan Railway Bureau.

 

 

 

 

What next? China MOR is very interested in the Intel® vPro success in Jinan. Several other railway bureaus, including Shanghai, Lanzhou, and Beijing, are following the example and applying Intel® vPro Technology in different applications. We are working very closely with our China MOR customers to make vPro Technology a standard for their IT operations. Stay tuned for more exciting news on Intel® vPro.

 

 


In this final segment I asked GB about the future. I asked him what lies ahead for the platform, and he asked the community for input.

 

 

 

 

I am sure I will run into GB in the new year, so if there are any burning questions you have, ask and I'll be sure to ask him.

 

Cheers.


Use Case Refresher

Posted by Kelsey Witherow Dec 17, 2007

AMT Usage Models for 2006 -- vPro Expert Center

 

Remote Asset Inventory

o The IT management console is able to “see” all PCs physically connected to the network, regardless of their power state.

o Count your networked PCs even when powered down or the OS is inoperable

o Faster, more accurate than manual audits

o Assist compliance with government regulations


Hardware and Software Inventory

o Accurately inventory hardware and software assets

o Third-party software can now store hardware and software asset information in tamper-resistant, nonvolatile memory on vPro™ technology-based PCs, where it can be securely accessed by authorized staff from the IT console.

o Remote hardware inventories assist with upgrade planning or lifecycle management

o Save money on license fees with accurate software inventories


Remote Diagnostics and Repair

o Diagnose, reboot, and repair PCs down-the-wire

o PC unable to boot --> PC sends an alert --> PC remotely rebooted from standard image on management server --> Technician diagnoses problem and repairs issue as appropriate (remote SW update, local HW install)

o Reduce the number of deskside visits

o Rapid response gets users up and running quickly


Agent Presence Checking

o An agent, by definition, is a complex software entity capable of acting with a certain degree of intelligence and autonomy in order to accomplish specific tasks or support the tasks of other software entities.

o Keep agents operating correctly

o Management or security agent is continuously checking in with Intel vPro technology --> Management agent fails to check in --> PC alerts IT console that management agent is missing or non-functioning --> IT management console repairs non-working management agent

o Management agents in place ensure more accurate PC asset inventory


Encrypted, Remote Power-On and Update

o Push security updates to PCs even if they are powered off

o IT Management Console reviews agent software report in management database for client DAT version to identify clients requiring update --> Unique encrypted power-on command issued by IT console --> Virus DAT file on PC updated and rebooted if necessary --> Encrypted power-off command sent to PC

o Encrypted, remote deployment of patches without user interruption

o Reduce the time required to deploy patches, which shortens the window of vulnerability


Hardware-Based Isolation and Recovery

o Filter harmful viruses and isolate infected PCs

o Hardware filters add a new level of security to your PC fleet

o Isolation helps prevent infected PCs from spreading viruses


PCs with Proactive Security -- Agent Presence Checking

o Keep agents operating correctly

o Security agents in place reduce IT vulnerability

o Management or security agent is continuously checking in with Intel vPro technology --> Security agent fails to check in --> PC alerts IT console that security agent is missing or non-functioning --> IT management console repairs non-working security agent


Increased Energy Efficiency -- Innovative Services and Initiatives

o Save valuable energy with the use of energy management policy software and Intel® vPro™ processor technology

o IT console sets Energy Management Policy with agent --> System powered down when inactive, based on policy --> System can be reliably activated for maintenance via secure management channel --> Energy Management agent protected via agent presence monitor

o Enterprise policy centrally managed & tamper resistant

o Agent can report energy usage and savings back to console
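The agent-presence flow listed above (agent checks in, agent fails to check in, PC alerts the console), as an added simulation that is not Intel AMT firmware code or anything from the vPro Expert Center: a per-agent watchdog timer that the in-band agent must keep resetting with heartbeats. When a deadline is missed the firmware side raises the out-of-band alert once, not on every later tick, and raises a second event when the agent comes back so the console can clear the ticket. The timer interval, event strings and scenario timings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Added simulation of the agent-presence flow; not Intel AMT firmware code. The timer
# semantics, event strings and the scenario timings below are constructed for illustration.


@dataclass
class AgentWatchdog:
    """One watchdog per registered agent, as the management engine would keep it."""
    agent: str
    timeout_s: float                      # longest gap between heartbeats the agent promised
    last_beat: float = 0.0
    running: bool = False
    alerts: List[Tuple[float, str]] = field(default_factory=list)   # (time, event)

    def start(self, now: float) -> None:
        """Agent registers itself (in-band) and the firmware arms the timer."""
        self.last_beat = now
        self.running = True
        self.alerts.append((now, f"{self.agent}: started"))

    def heartbeat(self, now: float) -> None:
        """Agent checks in. A killed or hung agent simply stops calling this."""
        self.last_beat = now
        if not self.running:
            # Agent is back: emit the transition so the console can close the ticket.
            self.running = True
            self.alerts.append((now, f"{self.agent}: present again"))

    def tick(self, now: float) -> None:
        """Firmware timer check. Raises the out-of-band alert once, on the first missed
        deadline, not on every later tick, so the console is not flooded while the agent
        stays down."""
        if self.running and now - self.last_beat > self.timeout_s:
            self.running = False
            self.alerts.append(
                (now, f"{self.agent}: missing, last heartbeat at {self.last_beat:.0f}s"))


def run_scenario() -> List[Tuple[float, str]]:
    """Security agent beats every 10 s, is killed at t=35 s and restarted at t=90 s."""
    wd = AgentWatchdog(agent="security-agent", timeout_s=30)
    wd.start(0)
    for t in range(5, 400, 5):
        agent_alive = t < 35 or t >= 90
        if agent_alive and t % 10 == 0:
            wd.heartbeat(t)
        wd.tick(t)             # the firmware timer runs whether or not the OS agent does
    return wd.alerts


if __name__ == "__main__":
    for when, event in run_scenario():
        print(f"t={when:>4}s  {event}")
```

The important property is that the timer lives outside the OS: killing the agent stops the heartbeats, but it cannot stop the tick that reports the agent missing, which is why the flow above ends at the console rather than on the compromised PC.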

 



-Kelsey Witherow


Encryption technology as we know it today had its beginnings over 4000 years ago, stemming back to Egyptian hieroglyphs and cipher codes, and Intel is working on delivering a hardware based data encryption technology to make it a simpler task for desktop users to secure data. Intel's Encryption Technology (codename Danbury) is due to be released with the next generation vPro "Eaglelake" chipset in 2008. As you can see in the image, the next generation of vPro technology will contain a 45nm CPU, the Eaglelake chipset, Danbury Technology, and Intel GbE network components.

 

 

Most likely, if you've heard about Intel Danbury Technology it was during IDF 2007 and some software vendors (Credant & Wave Systems) have already announced their partnership as well for the "to be released" technology.

 

Intel's Director of Business Client Architecture, Steve Grobman gave an audio cast at IDF, very informative, and if you missed it you can listen here. Steve was also recently interviewed in this article Intel adds Encryption to vPro which elaborates a bit more on the technology. Danbury Technology will help IT Administrators deal with challenges in data encryption on the desktop.

 

While I can't divulge too much information I'd like to bring some of the key 'look ahead' points in Danbury Technology:

 

  1. Danbury Technology can work in standalone mode or in conjunction with Intel Active Management Technology (iAMT) as they both share the Management Engine "common services" architecture for networking, security, and provisioning tools and applications.

  2. Expect increased performance in a hardware based encryption solution versus existing software encryption technologies

  3. Danbury Technology is OS agnostic - no OS drivers will be needed for data encryption

  4. Both in-band and out of band remote solutions will work with PBA (Pre Boot Authentication)

  5. Full drive encryption is available for SATA and e-SATA drives, including Intel Matrix Storage Technology

 

So why does Danbury Technology matter to IT/IS administrators? Why would a company want to encrypt their desktop data? If you don't know the answers to those questions - I suggest you checkout Credant Resource Center (login required) or Wave Systems Trusted Computing Primer

 

As more items become available for public consumption, I hope to spread the word through the vPro Expert Center Blog section... so keep reading!


 

It's time for a new release of the Intel AMT Developer Tool Kit. Version v0.45 was released Saturday morning with a bunch more bug fixes and improvements. People ask me what the formal road map for the DTK is and I answer that there is none; it's customer driven and I constantly improve many features. Of course, I have my ideas about where I am going with this, but I am always looking for suggestions.

 

 

Let's look at a few new features in this release:

 

 

Intel AMT Commander can now auto-detect and connect to LMS. In the past, only Intel AMT Outpost could connect to the local Intel AMT interface. In this new release, Intel AMT Commander will automatically detect and connect to LMS, so you can direct Commander to connect to "localhost", enter the username and password, and it will work. Currently you can't do much: on AMT 2.5 and higher systems, Intel AMT Commander will display the Intel AMT event log.

 

 

Intel AMT Commander re-branding. It's now easier than ever to add branding to Commander: just create a "branding" folder alongside the Intel AMT Commander executable and put a set of bitmaps in that directory. The default bitmaps will be replaced the next time Commander is run. You can find all the details in the readme.txt file of the DTK. By the way, it's perfectly fine to re-brand and ship Commander or any of the Intel AMT DTK tools, for example to include with Intel AMT motherboards.

 

 

Improved Intel AMT stack. The Intel AMT stack, built in C#, on which Intel AMT Commander and the other tools are built is improving all the time. In this version, I took special care to clean up the "AmtSystem" class. It's the root class for all of the Intel AMT functionality. For a quick sample of how to use the stack, look at the "IAmtCmd" project in the DTK source code.

Intel AMT Developer Tool Kit v0.45 Audio Blog (.mp3): http://softwareblogs.intel.com/wordpress/wp-content/uploads/2007/12/intel-amt-dtk-blog-v045.mp3

 

 

Ylian (Intel AMT Blog)

 

 


Follow on to my prior post on sitting down with GB. This question was focused around why activate PRO now vs. later.

 

http://joshprostar.blip.tv/file/535130/

 

The final question is around what the future journey (or at least what he can share), plus a great request for the community.. Stay Tuned


Mike Seawright, Terry Cutler & I came together to discuss Activation.

 

Here's a quick excerpt: "We have studies that show that on the laptop or notebook side, it saves you $50 per year and on the desktop side it saves you approximately $230 per year by utilizing the vPro technology," says Mike Seawright, of the enterprise solutions sales group. In other words, it's worth it to go all the way through the activation process now, because otherwise, "you're losing out on that cost savings." Terry Cutler, also of the enterprise solutions sales group, says it differently: "I'm more than happy for people to buy the technology, but I think they'd be even better off if they'd actually use the technology."

 

 

If you have a question or would like to have more details please let Mike, Terry or I know..


A fellow blogger (Terry Cutler) suggested asking the best group of experts we have on AMT/ vPro about ROI and what you have discovered from the use of this amazing technology in your production environments. I would love to hear from anyone with a proven ROI analysis of their implementation of AMT / vPro.

 

My hope is you can show how security, power savings, desk side visits, asset inventory, etc have been positively affected as you have activated AMT / vPro. A general background on the environment, your industry vertical, and of the vPro implementation. Post online for all to see and / or send your information to brian.d.brougham@intel.com. The information will be kept confidential, if requested.

 

Looking forward to the awesome stories I know are out there... Show us yours!

 

 

Brian Brougham

Intel Corporation - Digital Office

 

 


One of the things that makes a community a great place is sharing known issues, BKMs (best known methods) and workarounds so we all can learn together. I also was out last week at an activation and wish I could have shown the USB matrix of what keys work and don't. Well, here's a new wiki we started today around this very concept. Michele has started a wiki that she is going to update with the issues, BKMs and workarounds.

 

http://communities.intel.com/docs/DOC-1247

 

If there is something we should add, please let Michele know.


 

I've started a discussion thread titled Your vPro Tools Wishlist Hoping to gather input from the community on suggestions for tools that would make things easier. Be that deployment tools, provisioning tools, what have you.

 

 

 

 

I'm trying to build a list from both internal and external sources so we can prioritize and start delivering some valuable utilities. Here's your chance to let us know about your idea for that super special tool that will make things easier.

 

 

Jeff

 

 


Craig and I sat down to show a few things on what System Defense can do. Here's a quick intro on Craig; look for more videos on the different uses of SD coming shortly.

 

 

If you would like to see if System Defense can do something or not, let Craig know..

 

Here are his first two videos - http://communities.intel.com/docs/DOC-1278


Last week I was able to get a few minutes with Gregory Bryant (Code Name: GB) & asked him a few PRO questions that I think we all want to know about PRO. Here’s the first question about what makes him proud of the PRO journey ~ meaning why does it matter to him?

 

 

I think what is awesome to know about GB is that he was an IT guy, living in the trenches & now his organization is making our Lives Easier.. If you liked this video, the next two questions are really good as well.

 

Josh


 

Quick Guide - Out of Band Console Error - Current User Can't View This Page

 

 

A number of issues have arisen with a common symptom. When clicking on a provisioning node for Out of Band Management Solution, a sequence of errors appears at the bottom of the page. The causes vary, so it is important to understand the extent of the actual issue so that the proper resolution can be applied. These errors include:

 

  • Current User Can't View This Page

  • Current User Can't Change Settings on This Page

Introduction

You've just installed or upgraded Altiris Out of Band Management Solution, including the Intel SCS component, and the Provisioning console pages are throwing the following errors:

 

  • Error connecting to the Intel® AMT Setup and Configuration Server. Verify that Intel® AMT Setup and Configuration Server security settings are configured and AMTConfig service is running. See documentation for details on troubleshooting the Intel® Setup and Configuration Server installation.

  • The connection to the database has been reset

  • Current User Can't View This Page

  • Current User Can't Change Settings on This Page

 

The console page that loads will be completely grayed out and no functions can be used. See this screenshot for an example of this error:

 

 

 

Issue Causes

Thus far we have three known causes for this issue. The problems are detailed in this section, with the resolutions listed under the corresponding number in the Issue Resolutions section. The following environmental items may also contribute to the cause of this issue:

 

  1. A silent install conducted by the Out of Band Management installation is unable to authenticate and fails.

  2. Microsoft SQL Server 2000 is a common thread among the issues I've worked on.

  3. Having SQL Server off box from the Altiris Notification Server is another factor that appears to be common.

 

NOTE: These items are theory only at this point, but may help in identifying this issue.

 

 

I. SQL Security Model

The Intel SCS database only supports a mixed-mode security model in SQL. By default the scripted install of Intel SCS, which runs silently when installing Out of Band Management, captures any warnings or errors and allows the install to complete even if SQL is set to Windows Only mode. Both SQL 2000 and 2005 can run in either mode.

 

The two security models operate as follows:

 

  1. Windows Only Authentication - This mode requires all security users to be a member of the local Windows computer security groups, or part of a Domain with rights to the local SQL Server.

  2. Windows and SQL Authentication (Mixed Mode) - This mode works the same way with Windows or Domain users as the Windows Only mode, but adds the ability to define SQL specific users. This includes the common SA account that defaults as a Database Enterprise Administrator.

 

The way Intel SCS is architected, the mode must be set to Windows and SQL Authentication (Mixed Mode).

 

II. File Access and Permissions

During the install we've seen a number of file access and permission issues. These stem from either having a file locked during the installation, or having previous failed install steps setting incorrect permissions on the Intel SCS registry keys. Often it is difficult to tell where the file or registry permission problem lies, but the error thrown in a popup during the Intel SCS install is the same:

 

 

LaunchAppAndWait failed!

Failed to add login user

Error code: 104

 

 

To discover where the actual permission issue lies, use the following steps in conjunction with the attached .bat file named Add_LoginToDB.zip :

 

  1. Shut down all SQL tools such as SQL Enterprise Manager or SQL Management Studio

  2. Stop the AMTConfig Service from the mmc Services console.

  3. In mmc Services, stop the IIS admin service.

  4. Close all Altiris Consoles.

  5. Log onto the Notification Server as the account that was set when installing Intel SCS (if you used a silent install this will be the NS Application Identity).

  6. Edit the downloaded script as follows:

    1. Change the first line to @echo on - This will allow us to watch the complete script including authentication or security errors.

    2. At the line set USER=TEST\ADMINISTRATOR - change the user context to the admin user you used to install SCS (you should be logged in as this user).

    3. Ensure the line set SCRIPTS="C:\Program Files\Intel\AMTConfServer\DB" - is set to the correct install path.

    4. Change the line set DB_SERVER=localhost\SQLMSDE - to the name of the SQL instance including the server name. If running the default single instance, it will usually be simply the server name of the SQL Server. If it is a specific instance, use the server name \ name of the instance.

  7. Save the script and place it at this location: C:\Program Files\Intel\AMTConfServer\DB.

  8. Now open a command prompt and browse to the above location.

  9. Execute the script. The text will let you know if it was successful or if a problem occurred.

  10. If no error occurred it's possible the above procedure resolved the issue. Note that at the beginning of the procedure we closed down potential file-lock applications or interfaces, which may have resolved the issue.

III. SCS Upgrade from version 1.3 to 3.0

This issue stems from an incompatibility between the two versions. Opposite to standard assumptions, the 1.3 version of SCS was released after version 3.0 from Intel. Version 1.3 was a hot fix to resolve an issue with the AMTConfig service crashing. Due to this problem it became expedient to find a way to upgrade those on 1.3 to 3.0 since Out of Band 6.2 required Intel SCS 3.0.

 

 

See the resolution section for steps on how to resolve this issue.
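As an added pre-flight check (not part of the Altiris or Intel SCS tooling), the following PowerShell script tests for the three causes above before you re-run the install or the login script: the SQL authentication mode via SERVERPROPERTY('IsIntegratedSecurityOnly'), whether local Administrators still hold Full Control on the HKLM\SOFTWARE\Intel\AMTConfServer key, and the state of the AMTConfig and IIS admin services. The SQL instance name, the service name "AMTConfig" and the registry path are assumptions taken from this post; adjust them for your environment. Run it on the Notification Server as the account that installed SCS.

```powershell
# Added pre-flight check for the three causes described above. Not Altiris or Intel SCS code.
# Assumptions: default SQL instance, service name "AMTConfig", SCS registry key as named in this post.
param(
    [string]$SqlInstance = "localhost",
    [string]$ScsRegKey   = "HKLM:\SOFTWARE\Intel\AMTConfServer"
)

# Cause I: Intel SCS needs mixed mode. IsIntegratedSecurityOnly = 1 means "Windows Only".
function Get-SqlAuthMode {
    param([string]$Instance)
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=master;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)"
        if ([int]$cmd.ExecuteScalar() -eq 1) { return "WindowsOnly (SCS silent install will still succeed, console will fail)" }
        return "Mixed"
    } catch {
        return "unknown: $($_.Exception.Message)"
    } finally {
        $conn.Close()
    }
}

# Cause II: a botched install can leave the SCS key with a single ACE, locking out Administrators.
function Test-ScsRegistryAcl {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return "key not present (nothing left over from a failed install)" }
    $acl = Get-Acl -Path $Key
    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq "BUILTIN\Administrators" -and
        $_.AccessControlType -eq "Allow" -and
        $_.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl
    }
    if ($adminFull) { return "ok" }
    $holders = ($acl.Access | ForEach-Object { $_.IdentityReference.Value }) -join ", "
    return "Administrators lack FullControl; ACEs present for: $holders"
}

# Causes II/III: these services must be stopped before re-running the SCS install or the login script.
function Get-ScsServiceState {
    foreach ($name in @("AMTConfig", "IISADMIN")) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc) { "{0}: {1}" -f $name, $svc.Status } else { "{0}: not installed" -f $name }
    }
}

"SQL auth mode : " + (Get-SqlAuthMode -Instance $SqlInstance)
"SCS key ACL   : " + (Test-ScsRegistryAcl -Key $ScsRegKey)
Get-ScsServiceState
```

If the first line reports WindowsOnly, apply resolution I before anything else; the silent SCS install does not warn you about it. If the ACL check names a single account other than Administrators, that is the locked registry key described under cause II, and you will need to log in as that account to delete it.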

 

Issue Resolutions

The following resolutions correspond by number to the Issue Causes listed in the preceding section. The causes are mutually exclusive, meaning only the resolution listed for the specific cause will resolve the issue for that instance.

 

I. SQL Security Model Resolution

The following procedures switch SQL Server to mixed mode. Note that mixed mode enables SQL Server logins, including the built-in SA account, alongside Windows authentication, so give SA a strong password when you make this change rather than leaving it blank.

 

 

In Microsoft SQL Server 2005, follow these steps to change the security mode:

  1. Open Microsoft SQL Server Management Studio.

  2. Right-click on the instance (if installed locally with a default instance it will be the name of the server) and choose Properties.

  3. Under the Select a Page pane, click on Security.

  4. Under Server authentication select SQL Server and Windows Authentication mode.

  5. This may require you to set a password on the SA account.

  6. Click OK, then restart the SQL Server service; the new authentication mode does not take effect until the service restarts.

 

In Microsoft SQL Server 2000, follow these steps to change the security mode:

 

  1. Open SQL Enterprise Manager.

  2. Right-click on the instance (if installed locally with a default instance it will be named '(local)') and choose Properties.

  3. Click on the ‘Security' tab.

  4. Under the 'Authentication' heading change the radio button from 'Windows Only' to 'SQL Server and Windows'.

  5. Click OK to apply the changes, then restart the SQL Server service for the new mode to take effect.

II. File Access and Permissions Resolution

The initial steps provided in the II. Section under the Issue Causes may address the issue if it is a file-lock issue. If so, great! If not, an error should have been thrown when the script ran. This should allow you to focus on where the permission problem is occurring.

 

 

Example: A recent issue stemmed from a botched install where the following registry key was created with incorrect permissions: HKLM\SOFTWARE\Intel\AMTConfServer. This registry key had only a single user with rights; even local Administrators could not delete or modify the key. The resolution steps are as follows:

 

  1. Uninstall the Intel SCS Component.

  2. Log in as the user shown to have permissions to this key.

  3. Delete the key from AMTConfServer on down.

  4. Log back in as the account you wish SCS to run under.

  5. Shut down all SQL tools such as SQL Enterprise Manager or SQL Management Studio

  6. Stop the AMTConfig Service from the mmc Services console.

  7. In mmc Services, stop the IIS admin service.

  8. Close all Altiris Consoles.

  9. Run the Intel SCS Install again.

III. SCS Upgrade from Version 1.3 to 3.0 Resolution

If you've already tried to upgrade, follow these instructions:

 

 

The following items should be covered when referencing the steps below:

 

  • SQL Database console: Make sure all SQL consoles are closed when you run the script.

  • AMTConfig: Stop this service by the Services manager.

  • IIS service: Stop the IIS process.

  • Close all Altiris Consoles.

 

Steps:

 

  1. Delete "%Program Files%\intel\AMTConfServer\DB" folder.

  2. Copy all the files from the DB1.zip attached file to %sysdrive%\program files\intel\amtconfServer\Db.

  3. Add the next value to the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\OOBSC String: "SkipSCSCheck" value: "yes".

  4. Change in the SQL DB IntelAMT > (Table) dbo.csti_configuration > (Field) db_version to 1.1.

  5. Edit the file Upgrade1_3to3_0wLOGIN.bat located at the Db location extracted above to the right data (SQL server name and Domain\user name).

  6. Restart stopped services. You should now be able to connect to the database.

 

If you have not yet upgraded, these steps can be followed to upgrade:

 

  1. Delete "%Program Files%\intel\AMTConfServer\DB" folder.

  2. Copy all the files from the DB1.zip attached file to %sysdrive%\program files\intel\amtconfServer\Db.

  3. Now run the upgrade for Out of Band Management 6.2.

 

Note: The attachment ZIP is password protected. The password= 1

 

Conclusion

Hopefully the information provided here will resolve all issues stemming from this error. Updates will be made when possible as additional details are known on the sources of this issue.

 

 

NOTE: To obtain the files mentioned in this post, please see the following link:

 

 

https://kb.altiris.com/article.asp?article=39534&p=1


Recently, while I was out deploying vPro, I ran into a situation where I needed to validate the SCS configuration and ensure that I was seeing the right data in the ISV console I was working on. I also remember hearing from Matt about a nice little utility called AMT SCS console.exe that would do the trick. I downloaded the SCS zip file at http://softwarecommunity.intel.com/articles/eng/1025.htm, which I believe is posted on the tools wiki.

 

I opened up the zip, installed AMTConsole.exe and did a direct connection to the SCS. Powerful? Yes. A good validation tool? Yes. I recommend this very highly if you are interested in deeper troubleshooting than the standard tools out there.


I have been taking a two day class on C/C++ secure coding, a required class for every coder within my group at Intel. First, I am so thankful I mostly don't code in C/C++ because, as I learned in the class, it's quite challenging to write secure code that is not susceptible to stack overflow attacks or any number of other attacks. My co-worker Sandeep, who works on Intel AMT Switchbox and Guardpost, both entirely built in C/C++, is going to have a challenge.

 

This said, C# is not immune to security issues and there is an ongoing debate whether the Intel AMT DTK C# and C/C++ tools should complete a security review. One argument is that as long as Intel AMT is secure and does not expose vulnerabilities, any Intel AMT tool is also safe and does not need to be reviewed. On the other hand, many people use the DTK source code for other projects for which we make no claims of security; it's probably not a bad idea to check.

 

Right now, the DTK is not being checked for any security issues, but there are some design considerations that can, at a high level, help with security. One of them is to minimize or completely remove any listening sockets. In Intel AMT Commander there is one listening for SNMP traps; in Intel AMT Terminal there is also a socket used to connect debug terminals to pass serial-over-LAN information through for debugging. On the agent side, Intel AMT Outpost has no incoming sockets; its powerful serial agent is connected to the serial-over-LAN COM port and so relies on Intel AMT authentication.

 

I would like to invite the community to comment or post me directly any security issues you find with the DTK. I will certainly try my best to fix all of the issues.

 

Ylian (Intel AMT Blog)
